mongodb · EspenAlbert · Jun 23, 2025
@@ -0,0 +1,87 @@
+{
+ "$or": [
+  {
+   "users": []
+  },
+  {
+   "$and": [
+    {
+     "$or": [
+      {
+       "users": {
+        "$elemMatch": {
+         "$or": [
+          {
+           "db": "admin"
+          },
+          {
+           "db": "$external"
+          }
+         ]
+        }
+       }
+      },
+      {
+       "roles": {
+        "$elemMatch": {
+         "$or": [
+          {
+           "db": "admin"
+          }
+         ]
+        }
+       }
+      }
+     ]
+    },
+    {
+     "$or": [
+      {
+       "atype": "authCheck",
+       "param.command": {
+        "$in": [
+         "aggregate",
+         "count",
+         "distinct",
+         "group",
+         "mapReduce",
+         "geoNear",
+         "geoSearch",
+         "eval",
+         "find",
+         "getLastError",
+         "getMore",
+         "getPrevError",
+         "parallelCollectionScan",
+         "delete",
+         "findAndModify",
+         "insert",
+         "update",
+         "resetError"
+        ]
+       }
+      },
+      {
+       "atype": {
+        "$in": [
+         "authenticate",
+         "updateUser",
+         "grantRolesToUser",
+         "revokeRolesFromUser",
+         "createRole",
+         "updateRole",
+         "dropRole",
+         "dropAllRolesFromDatabase",
+         "grantRolesToRole",
+         "revokeRolesFromRole",
+         "grantPrivilegesToRole",
+         "revokePrivilegesFromRole"
+        ]
+       }
+      }
+     ]
+    }
+   ]
+  }
+ ]
+}
@@ -0,0 +1,36 @@
+# Specify an auditing resource and enable auditing for a project.
+# To configure auditing, specify the unique project ID. If you change
+# this value to a different "project_id", this deletes the current audit
+# settings for the original project.
+
+# "audit_authorization_success" indicates whether the auditing system
+# captures successful authentication attempts for audit filters using
+# the "atype" : "authCheck" auditing event. Warning! If you set
+# "audit_authorization_success" to "true", this can severely impact
+# cluster performance. Enable this option with caution.
+
+# "audit_filter" is the JSON-formatted audit filter.
+# "enabled" denotes whether or not the project associated with the
+# specified "{project_id}"" has database auditing enabled. Defaults to "false".
+
+# Auditing created by API Keys must belong to an existing organization.
+
+# In addition to arguments listed previously, the following attributes
+# are exported:
+
+# "configuration_type" denotes the configuration method for the audit filter.
+# Possible values are:
+# - "NONE" - auditing is not configured for the project.
+# - "FILTER_BUILDER" - auditing is configured via the Atlas UI filter builder.
+# - "FILTER_JSON" - auditing is configured via a custom filter in Atlas or API.
+
+locals {
+  audit_filter_json = var.audit_filter_json != "" ? var.audit_filter_json : "${path.module}/audit_filter.json"
+}
+resource "mongodbatlas_auditing" "this" {
+  project_id   = var.project_id
+  audit_filter = file(local.audit_filter_json)
+
+  audit_authorization_success = false
+  enabled                     = true
+}
@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
@@ -0,0 +1,21 @@
+variable "public_key" {
+  description = "Public API key to authenticate to Atlas"
+  type        = string
+  default     = ""
+}
+variable "private_key" {
+  description = "Private API key to authenticate to Atlas"
+  type        = string
+  default     = ""
+}
+
+variable "project_id" {
+  type        = string
+  description = "Atlas Project ID"
+}
+
+variable "audit_filter_json" {
+  type        = string
+  description = "Path to the JSON file containing the audit filter configuration. Will use audit_filter.json as the default value."
+  default     = ""
+}
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source  = "mongodb/mongodbatlas"
+      version = "~> 1.34"
+    }
+  }
+  required_version = ">= 1.0"
+}